The most dangerous signature in financial services was filed two days ago
- Lindsay Timcke

- May 11
- 2 min read
April 15 wasn’t just tax day. It was also the deadline for every NYDFS-regulated entity to certify compliance with the final provisions of 23 NYCRR Part 500. Roughly 3,000 covered entities. Two signatures per filing, the CEO’s and the CISO’s. Both personal. Both attesting that the organization has implemented universal MFA and maintains a complete, documented inventory of every information system it owns.
Most of those signatures were lies. Not deliberate ones. Convenient ones. We call it Blue Sky: the statements were meant to be true; the firm just never got there.
Universal MFA doesn’t mean MFA on the VPN. It means MFA for every individual accessing any information system of the covered entity: employees, contractors, vendors, third parties, and the offshore developer your MSP never mentioned. NYDFS has been explicit since December 2021 that SMS codes and push notifications are weak forms of MFA, and the bar examiners now expect is phishing-resistant: FIDO2, hardware keys, device-bound biometrics. If your firm is still relying on six-digit text codes, your CEO just personally certified a control the regulator has already told you is inadequate.
The asset inventory provision is worse. The rule requires written policies and procedures that produce a complete, accurate and current inventory of every information system, tracking for each one its owner, location, classification or sensitivity, support expiration date, and recovery time objective. Not just the systems holding nonpublic information; every system in scope of the risk assessment. Most firms don’t have this. They have a spreadsheet someone last updated in 2023, a CMDB their MSP loosely maintains, and a hope that nobody looks too closely.
The math is brutal. Up to $2,500 per day per violation under New York Banking Law. Recent enforcement actions have run from $2 million to $30 million. The Acting Superintendent has already restated the position that covered entities cannot delegate compliance to third-party service providers: your MSP’s failure is your CISO’s signature, your CEO’s signature, your liability.
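Before anyone signs, it is worth running the inventory through a mechanical check against the attributes the rule names. The script below is an added example, not part of the original article and not a tool NYDFS or any vendor provides. It assumes a CSV export with the column names shown (map them to whatever your CMDB actually emits), uses constructed sample rows, and treats a host list from discovery (EDR or scanner export, also constructed here) as the completeness cross-check: a system the network has seen that the inventory has not is exactly the gap an examiner will find first.

```python
"""Audit an information-system inventory export against the attributes
23 NYCRR 500.13(a) requires: owner, location, classification, support
expiration date and recovery time objective.

Added example for this article; not the article's own tooling.  Column
names, the ISO date format and the sample data below are assumptions.
"""
import csv
import io
from datetime import date

# Assumed export schema: one row per information system.
REQUIRED_FIELDS = ("asset_id", "owner", "location", "classification",
                   "support_expiration", "rto_hours")

# Constructed sample inventory export (not real data).
SAMPLE_INVENTORY_CSV = """asset_id,owner,location,classification,support_expiration,rto_hours
srv-001,payments-team,nyc-dc1,confidential,2027-03-31,4
srv-002,,aws-us-east-1,internal,2025-12-31,24
srv-003,hr-apps,nyc-dc1,,2026-09-30,
vpn-gw-01,netops,nyc-dc1,restricted,not-tracked,8
"""

# Constructed list of hosts seen by discovery (EDR / scanner export).
SAMPLE_DISCOVERED_HOSTS = ["srv-001", "srv-002", "srv-003", "vpn-gw-01",
                           "build-agent-17"]


def parse_inventory(csv_text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_record(row, as_of):
    """Return the list of findings for one inventory row.

    as_of is the date the attestation speaks to; support that expired
    before it means the inventory is carrying an unsupported system.
    """
    findings = []
    for field in REQUIRED_FIELDS:
        if not (row.get(field) or "").strip():
            findings.append(f"missing {field}")

    expiration = (row.get("support_expiration") or "").strip()
    if expiration:
        try:
            if date.fromisoformat(expiration) < as_of:
                findings.append(f"support expired {expiration}")
        except ValueError:
            findings.append(f"unparseable support_expiration {expiration!r}")

    rto = (row.get("rto_hours") or "").strip()
    if rto:
        try:
            if float(rto) <= 0:
                findings.append(f"non-positive rto_hours {rto!r}")
        except ValueError:
            findings.append(f"unparseable rto_hours {rto!r}")
    return findings


def audit_inventory(csv_text, discovered_hosts, as_of_iso):
    """Map asset_id -> findings.  Clean rows are omitted.

    Completeness check: any discovered host absent from the inventory
    is reported, because 'complete' cannot be judged from the inventory
    alone.
    """
    as_of = date.fromisoformat(as_of_iso)
    rows = parse_inventory(csv_text)
    report = {}
    for row in rows:
        asset_id = (row.get("asset_id") or "").strip() or "<no id>"
        findings = check_record(row, as_of)
        if findings:
            report[asset_id] = findings

    inventoried = {(row.get("asset_id") or "").strip() for row in rows}
    for host in discovered_hosts:
        if host not in inventoried:
            report[host] = ["not in inventory (seen by discovery)"]
    return report


if __name__ == "__main__":
    for asset, findings in audit_inventory(
            SAMPLE_INVENTORY_CSV, SAMPLE_DISCOVERED_HOSTS, "2026-04-15").items():
        print(asset, "->", "; ".join(findings))
```

Two points a practitioner should take from this. First, the field checks are the easy part; the discovery reconciliation is where "complete" is actually tested, so feed it every source that sees hosts (EDR, vulnerability scanner, cloud APIs, the MSP's own tooling) and expect the diff to be uncomfortable. Second, keep the as-of date fixed to the period the certification covers, so the output is a record of what was true on that date rather than what drifted afterwards.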
Here’s what nobody is saying out loud. The certification isn’t a compliance milestone. It’s a discovery document. The next breach at a covered entity will be cross-referenced against the April 15 attestation. If the filing said yes and the forensics prove no, the conversation stops being about cybersecurity and becomes about fraud.
If you signed something you shouldn’t have, the window to amend is open and shrinking. If you advised someone to sign, the window to retract is the same.
We don’t deploy juniors to opine on personal liability filings. Senior SMEs only. Book the assessment now that will support an honest 2026 attestation, before the next exam letter forces the question.
